I. Field of the Invention
The present invention relates to digital telephone technology in general, and the authentication of mobile stations in cellular telephone systems in particular.
II. Description
The field of wireless communications has many applications including, for example, cordless telephones, paging, wireless local loops, and satellite communications systems. A particularly important application is cellular telephone systems for mobile subscribers. (As used herein, the term xe2x80x9ccellular systemsxe2x80x9d includes both cellular and PCS frequencies.) Various over-the-air interfaces have been developed for such cellular telephone systems including, for example, frequency division multiple access (FDMA), time division multiple access (TDMA), and code division multiple access (CDMA). In connection therewith, various domestic and international standards have been established including, for example, Advanced Mobile Phone Service (AMPS), Global System for Mobile (GSM), and Interim Standard 95 (IS-95). In particular, IS-95 and its derivatives, IS-95A, ANSI J-STD-008, etc. (collectively referred to herein as IS-95), are promulgated by the Telecommunication Industry Association (TIA) and other well known standards bodies.
Cellular telephone systems configured in accordance with the IS-95 standard employ CDMA signal processing techniques. An exemplary cellular telephone system configured substantially in accordance with the IS-95 standard is described in U.S. Pat. No. 5,103,459, which is assigned to the assignee of the present invention and fully incorporated herein by reference. The aforesaid patent illustrates transmit, or forward-ink, signal processing in a CDMA base station. Exemplary receive, or reverse-link, signal processing in a CDMA base station is described in U.S. patent application Ser. No. 08/987,172, filed Dec. 9, 1997, entitled MULTICHANNEL DEMODULATOR, now abandoned, which is assigned to the assignee of the present invention and fully incorporated herein by reference.
In cellular telephone systems generally, mobile subscriber units, or mobile stations, must be authenticated by a base station. Authentication is the process by which information is exchanged between a mobile station and a base station for the purpose of confirming the identity of the mobile station. Cellular communications standards typically define procedures for authentication of mobile stations. Cellular standards published by the TIA provide two methods for authenticating mobile stations, the xe2x80x9cunique challengexe2x80x9d method and the xe2x80x9cbroadcast challengexe2x80x9d method. TIA standards utilizing the foregoing authentication methods include, for example, IS-91 (an AMPS standard), IS-54 (a TDMA standard defining analog control channels), IS-136 (a TDMA standard defining digital control channels) and IS-95.
The unique challenge method is well known to those having skill in the art. In systems utilizing this method the cellular infrastructure (base station and/or base station controller) sends a challenge value to a mobile station, and the mobile station sends a response that is computed from the challenge, the mobile station identifier and secret data known only to the base station and the mobile station (assuming the mobile station is a legitimate mobile station). If the response is correct, the cellular infrastructure provides access to services such as telephone connections. The unique challenge method however has the disadvantage that the time required to complete the challenge-response process can be relatively long and unduly delay call setup. For this reason, the broadcast challenge method has been included in TIA cellular standards as a means of providing rapid authentication of requests for access to cellular services.
Under the broadcast challenge method of authentication, a challenge value (referred to in general as xe2x80x9cRANDxe2x80x9d) is broadcast on a cellular control channel to mobile stations. The mobile stations store this challenge value when they receive them and subsequently use it, together with other stored information, when they request access to cellular services from the base station.
Authentication procedures are used by cellular telephone systems in a number of situations. For instance, base stations often require authentication of mobile station registrations, originations and terminations. Registration is the process by which a mobile station identifies its location and sends certain parameters to a base station. Origination procedures are instituted when a user directs the mobile station to initiate a call. Termination procedures are instituted when another party places a call to a mobile station, and the mobile station responds to a page message in order to accept the call.
In IS-95 configured CDMA systems, a mobile station will be authenticated only when the base station determines that both it and the mobile station possess identical sets of Shared Secret Data (SSD) and an identical Random Challenge Value (RCV). SSD is a 128-bit quantity that is known to both the base station and a mobile station, and is stored by the mobile station in its semi-permanent memory. The first 64 bits of SSD comprise the numerical value SSD A and the remaining 64 bits comprise the numerical value SSD B. SSD A is used in the authentication process, while SSD B is used in the voice privacy and message encryption processes. The RCV is a 32-bit number that corresponds to the challenge value used in the broadcast challenge method of authentication referred to above and will be discussed in more detail below. The 8 most significant bits of the RCV are sometimes referred to as RANDC, while the 24 least significant bits of the RCV are sometimes referred to as RANDL.
In the context of a mobile station origination in an IS-95 configured CDMA cellular telephone system, a typical mobile station authentication would be as follows. A user directs the mobile station to institute a telephone call. The mobile station determines whether the stored value of the authentication information element (AUTH) is set to xe2x80x9c01,xe2x80x9d indicating that standard authentication mode should be used. If set to xe2x80x9c01,xe2x80x9d the mobile station calculates the value of the Authentication Signature information element (AUTH SIGNATURE) in accordance with certain authentication algorithms described in xe2x80x9cCommon Cryptographic Algorithms,xe2x80x9d a publication available through the Telecommunications Industry Association but subject to restricted distribution. The AUTH_SIGNATURE input parameters and the values supplied by the mobile station for origination authentication would be as follows:
where RANDs=Stored Random Challenge Memory, the stored value of the 32-bit Random Challenge Memory (RAND); ESNp=Electronic Serial Number, a 32-bit value that uniquely identifies the mobile station stored in the permanent memory of the mobile station; and DIGITS=the encoded last six digits of the CHARi field in the mobile station Origination Message.
Once the mobile station calculates AUTH_SIGNATURE, the AUTHR field of the mobile station Origination Message is set to the value of AUTH_SIGNATURE, the RANDC field is set to the eight most significant bits of RANDs and the Origination Message is transmitted to the base station. The base station then computes the value of AUTHR in the same manner as the mobile station, using its internally stored value of SSD_A, compares this computed value with the value of AUTHR received from the mobile station, and compares the received value of RANDC to the eight most significant bits of its internally stored value of RAND. If the comparisons executed at the base station are successful, the base station will initiate the procedures used to assign the mobile station to various Traffic Channels. If either of the comparisons fail, the base station may deny service, initiate the Unique Challenge-Response Procedure or commence the SSD Update Procedure.
In typical cellular telephone systems the available frequency spectrum is divided into a number of channels, each of which is used for different purposes. In IS-95 configured CDMA systems, one of those channels is the Paging Channel. The Paging Channel is an encoded, interleaved, spread, and modulated spread spectrum signal that base stations use to transmit system overhead information and mobile station specific messages to mobile stations that have not been assigned to a Traffic Channel. One of the messages transmitted on the Paging Channel and monitored by mobile stations is the Access Parameters Message. The Access Parameters Message is a variable length message having twenty-seven fields, including the Authentication Mode (AUTH) and RAND fields. The AUTH field is a 2-bit field whose value is set to xe2x80x9c01xe2x80x9d by a base station if mobile stations are to include standard authentication data in Access Channel messages sent to that base station. If mobile stations should not include standard authentication data in Access Channel messages, the base station will set the value of the AUTH field to xe2x80x9c00.xe2x80x9d The RAND field is a 0- or 32-bit field whose value is set to the 32-bit RCV that mobile stations are to use in the authentication procedures when the AUTH field has been set to xe2x80x9c01.xe2x80x9d Base stations set the value of RAND in the CDMA Access Parameters Message equal to the concatenation of the 16-bit RAND1_A and RAND1_B overhead information words periodically appended to the System Parameter Overhead Messages transmitted by base stations to mobile stations on the analog Forward Control Channel.
In CDMA systems, the RCV is intended to be a random 32-bit number so that it will not repeat for approximately 8000 years. The 8000 years before repeat property is an important security feature, rendering it essentially impossible for an attacker to predict what the RCV will be at any point in the future. For a number of reasons, it has been found that it is advantageous to change the RCV used in the authentication process frequently, potentially every minute. Changing the RCV every minute however, introduces the problem that duplicate values of the RCV will begin appearing after approximately 216 minutes (about 45 days) if the RCV is generated truly at random. It has also been found that there are certain advantages to be gained by synchronizing the RCV across cellular systems. Communicating the RCV throughout the network of cellular systems; however, which would be required if the synchronized RCV were truly random, would be difficult and expensive.
It has therefore been proposed in U.S. patent application Ser. No. 09/036,941, filed Mar. 9, 1998, entitled METHOD FOR GENERATING A BROADCAST CHALLENGE VALUE, now U.S. Pat. No. 6,285,873 issued Sep. 4, 2001, which is assigned to the assignee of the present invention and fully incorporated herein by reference, to utilize a combination of maximal-length linear feedback shift registers (LFSRs) based counters in base stations to generate the 32-bit RCV. The combination of maximal-length LFSR based counters will not generate a repeat RCV for approximately 232xe2x88x92224 minutes (about 8000 years), and will never generate an RCV with a zero leading octet. Having a non-zero leading octet is important because only the eight most significant bits of RANDs are utilized in a number of authentication operations. Synchronizing the RCV across cellular systems is simple and inexpensive with an LFSR based counter as well. Any base station in the system may calculate the proper RCV for any particular time given a starting position, the number of minutes that have elapsed since that starting position and a global time reference. As discussed more fully in U.S. Pat. No. 6,285,873 incorporated by reference above, using GPS system time as the global time reference is preferred.
There are however drawbacks to the use of an LFSR based counter to generate the RCV. Specifically, using an LFSR based counter results in the loss of RCV unpredictability. By observing only an hour or so of the RCVs generated by a base station with an LFSR based counter and transmitted to the mobile stations in the Access Parameters Message, an attacker may be able to derive and understand the formula used by the LFSR based counter. Having derived the formula, the attacker could then predict the RCV for any given time in the future.
Hence, there is a need for a secure method of generating and communicating the RCV to mobile stations that does not lose the unpredictability of a truly random number but can be simply and economically synchronized across cellular telephone systems.
The present invention is directed to a method and apparatus for generating and communicating random challenge values to mobile stations that does not lose the unpredictability of a truly random number but can be simply and economically synchronized across cellular systems. The invention comprises a method and apparatus for updating a binary number to be used in cellular telephone system authentication procedures, that applies a first algorithm to a plurality of most significant bits of a first binary number to obtain a second binary number; operates on a plurality of least significant bits of the first binary number with a second algorithm to obtain a third binary number, and applies a block cipher to the concatenation of the second and third numbers to obtain the updated binary number. In a particular embodiment of the invention, the block cipher comprises a modified version of the SKIPJACK block cipher encryption function. In yet another embodiment of the invention, when the most significant bits of the updated binary number comprise an all-zeroes number they are replaced with the most significant bits of the concatenation of the second and third numbers.